Tuesday, April 19, 2016

A number of outlets are pointing to an alarming spike in Apple’s national security requests, as reflected in its privacy numbers (though I think they are exaggerating the number). Here’s what the numbers look like since it began reporting national security requests. [I’ll put this in a table later, but I’m trying to get this done in the last window I’ll have for a while.]

As you can see, Apple’s numbers were already rising from a baseline of 0-249 for both categories in the second half of 2014 (not incidentally when encryption became default), though really started to grow the first half of last year. Where the request-to-number-of-accounts affected ratio has differed, it shows more requests received than accounts affected, suggesting either that Apple is getting serial requests (first iMessage metadata, then content), or that the authorities are renewing requests — say, after a 90-day 215 order expires (though Apple reiterates in this report that they have never received a bulk order, so they are presumably, but not definitely, not the additional bulk provider that appears to have shown up in the June 29 order last year. The number of requests may have doubled or even nearly tripled in the reporting reflecting the first half of last year, and may have almost doubled again, but it appears that Apple continues to get multiple orders affecting the same account.

In other words, this appears to be a spike in the number of accounts affected, accompanied by a more gradual spike in the orders received, but it follows on what could be a straight doubling of both categories from the prior period.

It appears Apple is reporting under paragraph 3 reporting, described as follows.

(3) A semiannual report that aggregates the number of orders, directives, or national security letters with which the
person was required to comply in the into separate categories of–

(A) the total number of all national security process received, including all national security letters, and orders or directives under this Act, combined, reported in bands of 250 starting with 0-249;
and

(B) the total number of customer selectors targeted under all national security process received, including all national security letters, and orders or directives under this Act, combined, reported in bands of 250 starting with 0-249.

[snip]

(2) A report described in paragraph (3) of subsection (a) shall include only information relating to the previous 180 days.

That should work out to the same reporting method they were using, provided there was no 2-year delay in reporting of a new kind of production, which doesn’t appear to have happened.

One possible explanation of what’s partly behind the increase is that the more recent number reflects USA Freedom Act collection. USAF became law on June 2, with the new 2-hop production going into effect on November 29. Marco Rubio made it clear last year that USAF extended the 2-hop collection to “a large number of companies.” The Intelligence Authorization made it clear a fair number of companies would be covered by it as well. In its discussion of what kind of responses it gave to San Bernardino requests Apple said they got legal process.

Especially given that Apple is a “phone company,” it seems highly likely the government included iMessage data in its roll out of the expanded program (which, multiple witnesses have made clear, was functioning properly in time for the December 2 San Bernardino attack). So it’s quite possible what look to be 500 first-time requests are USAF’s new reporting, though that would seem to be a very high number of requests for the first month of the program.

Probably, the bulk of the increase is from something else, perhaps PRISM production, because iMessage is an increasing part of online communication. Apple’s numbers are still far below Google’s (though Yahoo’s had a big drop off in this reporting period). But it would make sense as more people use iMessage, it will increase Apple’s PRISM requests.

Update: This post has been updated to better reflect my understanding of how this reporting and the new production work.

No comments:

Post a Comment

To reduce spam, this alternate site requires users register to comment or use OpenID. Comments on posts more than (5) days old subject to moderation. Comments posted at this site will not appear at the original/primary site.